【Title】: 超级RM转换大师 V1.10 (Super RM Converter), a simple analysis of the registration algorithm
【Author】: evilangel
【Software】: 超级RM转换大师 V1.10
【Download】: search for it yourself
【Compiler】: Borland Delphi 6.0 - 7.0
【Tools】: OllyDbg (OD)
【Disclaimer】: Written out of interest only, with no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Walkthrough】
A message breakpoint leads to the key code, and DeDe's button-event list gets you to the same place; how to find it is not covered here, just a short analysis of the code itself.
004C0128 /. 55 push ebp
004C0129 |. 8BEC mov ebp, esp
004C012B |. 6A 00 push 0
004C012D |. 6A 00 push 0
004C012F |. 53 push ebx
004C0130 |. 8BD8 mov ebx, eax
004C0132 |. 33C0 xor eax, eax
004C0134 |. 55 push ebp
004C0135 |. 68 E8014C00 push 004C01E8
004C013A |. 64:FF30 push dword ptr fs:[eax]
004C013D |. 64:8920 mov fs:[eax], esp
004C0140 |. 8D55 FC lea edx, [ebp-4]
004C0143 |. 8B83 20030000 mov eax, [ebx+320]
004C0149 |. E8 7E43FAFF call 004644CC
004C014E |. 8B45 FC mov eax, [ebp-4] ; // username string (TControl.GetText at 004C0149)
004C0151 |. E8 3E44F4FF call 00404594 ; // LStrLen: length of the username
004C0156 |. 85C0 test eax, eax ; // was a username entered?
004C0158 |. 75 29 jnz short 004C0183
004C015A |. 6A 40 push 40
004C015C |. 68 F4014C00 push 004C01F4 ; "警告" (Warning)
004C0161 |. 68 FC014C00 push 004C01FC ; "请输入用户名!" (Please enter a username!)
004C0166 |. 8BC3 mov eax, ebx
004C0168 |. E8 47ABFAFF call 0046ACB4
004C016D |. 50 push eax ; |hOwner
004C016E |. E8 216FF4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004C0173 |. 8B83 20030000 mov eax, [ebx+320]
004C0179 |. 8B10 mov edx, [eax]
004C017B |. FF92 C4000000 call [edx+C4] ; // virtual call on the username edit control (most likely SetFocus)
004C0181 |. EB 4A jmp short 004C01CD
004C0183 |> 8D55 F8 lea edx, [ebp-8]
004C0186 |. 8B83 24030000 mov eax, [ebx+324]
004C018C |. E8 3B43FAFF call 004644CC ; // GetText: registration-code string into [ebp-8]
004C0191 |. 8B45 F8 mov eax, [ebp-8]
004C0194 |. E8 FB43F4FF call 00404594 ; // LStrLen: length of the registration code
004C0199 |. 85C0 test eax, eax ; // was a registration code entered?
004C019B |. 75 29 jnz short 004C01C6
004C019D |. 6A 40 push 40
004C019F |. 68 F4014C00 push 004C01F4 ; "警告" (Warning)
004C01A4 |. 68 0C024C00 push 004C020C ; "请输入注册码!" (Please enter a registration code!)
004C01A9 |. 8BC3 mov eax, ebx
004C01AB |. E8 04ABFAFF call 0046ACB4
004C01B0 |. 50 push eax ; |hOwner
004C01B1 |. E8 DE6EF4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004C01B6 |. 8B83 24030000 mov eax, [ebx+324]
004C01BC |. 8B10 mov edx, [eax]
004C01BE |. FF92 C4000000 call [edx+C4] ; // virtual call on the code edit control (most likely SetFocus)
004C01C4 |. EB 07 jmp short 004C01CD
004C01C6 |> 8BC3 mov eax, ebx
004C01C8 |. E8 47F9FFFF call 004BFB14 ; // key call: validate the code and store the registration
004C01CD |> 33C0 xor eax, eax
004C01CF |. 5A pop edx
004C01D0 |. 59 pop ecx
004C01D1 |. 59 pop ecx
004C01D2 |. 64:8910 mov fs:[eax], edx
004C01D5 |. 68 EF014C00 push 004C01EF
004C01DA |> 8D45 F8 lea eax, [ebp-8]
004C01DD |. BA 02000000 mov edx, 2
004C01E2 |. E8 1141F4FF call 004042F8
004C01E7 \. C3 retn
004C01E8 .^ E9 473AF4FF jmp 00403C34
004C01ED .^ EB EB jmp short 004C01DA
004C01EF . 5B pop ebx
004C01F0 . 59 pop ecx
004C01F1 . 59 pop ecx
004C01F2 . 5D pop ebp
004C01F3 . C3 retn
Entering the key call leads to:
004BFB14 $ 55 push ebp
004BFB15 . 8BEC mov ebp, esp
004BFB17 . 33C9 xor ecx, ecx
004BFB19 . 51 push ecx
004BFB1A . 51 push ecx
004BFB1B . 51 push ecx
004BFB1C . 51 push ecx
004BFB1D . 51 push ecx
004BFB1E . 53 push ebx
004BFB1F . 56 push esi
004BFB20 . 57 push edi
004BFB21 . 8945 FC mov [ebp-4], eax
004BFB24 . 33C0 xor eax, eax
004BFB26 . 55 push ebp
004BFB27 . 68 65FC4B00 push 004BFC65
004BFB2C . 64:FF30 push dword ptr fs:[eax]
004BFB2F . 64:8920 mov fs:[eax], esp
004BFB32 . 8B45 FC mov eax, [ebp-4]
004BFB35 . E8 92020000 call 004BFDCC ; // key call: returns AL = 1 when the code matches
004BFB3A . 84C0 test al, al
004BFB3C . 0F84 DB000000 je 004BFC1D ; // jump to "registration failed"
004BFB42 . 33C0 xor eax, eax
004BFB44 . 55 push ebp
004BFB45 . 68 01FC4B00 push 004BFC01
004BFB4A . 64:FF30 push dword ptr fs:[eax]
004BFB4D . 64:8920 mov fs:[eax], esp
004BFB50 . B2 01 mov dl, 1
004BFB52 . A1 00B84300 mov eax, [43B800]
004BFB57 . E8 A4BDF7FF call 0043B900 ; // TRegistry.Create
004BFB5C . 8BD8 mov ebx, eax
004BFB5E . BA 02000080 mov edx, 80000002 ; // HKEY_LOCAL_MACHINE
004BFB63 . 8BC3 mov eax, ebx
004BFB65 . E8 36BEF7FF call 0043B9A0 ; // RootKey := HKEY_LOCAL_MACHINE
004BFB6A . B1 01 mov cl, 1 ; // CanCreate = True
004BFB6C . BA 7CFC4B00 mov edx, 004BFC7C ; "software\zy\conver"
004BFB71 . 8BC3 mov eax, ebx ; // where the registration is stored; it is verified again at the next start
004BFB73 . E8 8CBEF7FF call 0043BA04 ; // OpenKey('software\zy\conver', True)
004BFB78 . 8D55 F4 lea edx, [ebp-C]
004BFB7B . 8B45 FC mov eax, [ebp-4]
004BFB7E . 8B80 20030000 mov eax, [eax+320]
004BFB84 . E8 4349FAFF call 004644CC
004BFB89 . 8B45 F4 mov eax, [ebp-C]
004BFB8C . 8D55 F8 lea edx, [ebp-8]
004BFB8F . E8 F08BF4FF call 00408784
004BFB94 . 8B4D F8 mov ecx, [ebp-8]
004BFB97 . BA 98FC4B00 mov edx, 004BFC98 ; "name"
004BFB9C . 8BC3 mov eax, ebx
004BFB9E . E8 FDBFF7FF call 0043BBA0 ; // WriteString('name', username)
004BFBA3 . 8D55 EC lea edx, [ebp-14]
004BFBA6 . 8B45 FC mov eax, [ebp-4]
004BFBA9 . 8B80 24030000 mov eax, [eax+324]
004BFBAF . E8 1849FAFF call 004644CC
004BFBB4 . 8B45 EC mov eax, [ebp-14]
004BFBB7 . 8D55 F0 lea edx, [ebp-10]
004BFBBA . E8 C58BF4FF call 00408784
004BFBBF . 8B4D F0 mov ecx, [ebp-10]
004BFBC2 . BA A8FC4B00 mov edx, 004BFCA8 ; "pass"
004BFBC7 . 8BC3 mov eax, ebx
004BFBC9 . E8 D2BFF7FF call 0043BBA0 ; // WriteString('pass', registration code)
004BFBCE . 8BC3 mov eax, ebx
004BFBD0 . E8 CB38F4FF call 004034A0 ; // TRegistry.Free
004BFBD5 . 6A 40 push 40
004BFBD7 . 68 B0FC4B00 push 004BFCB0 ; "软件注册" (Software registration)
004BFBDC . 68 BCFC4B00 push 004BFCBC ; "注册成功, 下次启动本软件将解除所有限制功能!" (Registration successful; all restrictions will be lifted the next time the program starts!)
004BFBE1 . 8B45 FC mov eax, [ebp-4]
004BFBE4 . E8 CBB0FAFF call 0046ACB4
004BFBE9 . 50 push eax ; |hOwner
004BFBEA . E8 A574F4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004BFBEF . 8B45 FC mov eax, [ebp-4]
004BFBF2 . E8 590FFCFF call 00480B50
004BFBF7 . 33C0 xor eax, eax
004BFBF9 . 5A pop edx
004BFBFA . 59 pop ecx
004BFBFB . 59 pop ecx
004BFBFC . 64:8910 mov fs:[eax], edx
004BFBFF . EB 36 jmp short 004BFC37
004BFC01 .^ E9 7A3DF4FF jmp 00403980
004BFC06 . 8B45 FC mov eax, [ebp-4]
004BFC09 . E8 420FFCFF call 00480B50
004BFC0E . 8B45 FC mov eax, [ebp-4]
004BFC11 . E8 F6000000 call 004BFD0C
004BFC16 . E8 CD40F4FF call 00403CE8
004BFC1B . EB 1A jmp short 004BFC37
004BFC1D > 6A 40 push 40
004BFC1F . 68 B0FC4B00 push 004BFCB0 ; "软件注册" (Software registration)
004BFC24 . 68 ECFC4B00 push 004BFCEC ; "注册失败,请检查用户名与注册码!" (Registration failed; check the username and registration code!)
004BFC29 . 8B45 FC mov eax, [ebp-4]
004BFC2C . E8 83B0FAFF call 0046ACB4
004BFC31 . 50 push eax ; |hOwner
004BFC32 . E8 5D74F4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004BFC37 > 33C0 xor eax, eax
Next, into this key call:
004BFDCC /$ 55 push ebp
004BFDCD |. 8BEC mov ebp, esp
004BFDCF |. B9 04000000 mov ecx, 4
004BFDD4 |> 6A 00 /push 0
004BFDD6 |. 6A 00 |push 0
004BFDD8 |. 49 |dec ecx
004BFDD9 |.^ 75 F9 \jnz short 004BFDD4
004BFDDB |. 51 push ecx
004BFDDC |. 53 push ebx
004BFDDD |. 56 push esi
004BFDDE |. 8BF0 mov esi, eax
004BFDE0 |. 33C0 xor eax, eax
004BFDE2 |. 55 push ebp
004BFDE3 |. 68 E1FE4B00 push 004BFEE1
004BFDE8 |. 64:FF30 push dword ptr fs:[eax]
004BFDEB |. 64:8920 mov fs:[eax], esp
004BFDEE |. 8D55 F8 lea edx, [ebp-8]
004BFDF1 |. 8B86 24030000 mov eax, [esi+324]
004BFDF7 |. E8 D046FAFF call 004644CC
004BFDFC |. 8B45 F8 mov eax, [ebp-8] ; // the entered code
004BFDFF |. 8D55 FC lea edx, [ebp-4]
004BFE02 |. E8 7D89F4FF call 00408784 ; // string helper (eax = source, edx = result); not identified here
004BFE07 |. 8B45 FC mov eax, [ebp-4] ; // the entered code after the helper
004BFE0A |. 50 push eax
004BFE0B |. 8D55 EC lea edx, [ebp-14]
004BFE0E |. 8B86 20030000 mov eax, [esi+320]
004BFE14 |. E8 B346FAFF call 004644CC
004BFE19 |. 8B45 EC mov eax, [ebp-14] ; // the username string (GetText), not its length
004BFE1C |. 8D55 F0 lea edx, [ebp-10]
004BFE1F |. E8 6089F4FF call 00408784
004BFE24 |. 8B55 F0 mov edx, [ebp-10]
004BFE27 |. 8D4D F4 lea ecx, [ebp-C]
004BFE2A |. 8BC6 mov eax, esi
004BFE2C |. E8 03010000 call 004BFF34 ; // key call: computes the real code into [ebp-C]
004BFE31 |. 8B55 F4 mov edx, [ebp-C] ; // the real code
004BFE34 |. 58 pop eax ; // the entered code
004BFE35 |. E8 A648F4FF call 004046E0 ; // LStrCmp: exact, case-sensitive comparison
004BFE3A |. 75 50 jnz short 004BFE8C ; // mismatch: jump; ebx is zeroed there and then moved into eax
004BFE3C |. B3 01 mov bl, 1 ; // match: BL = 1, then moved into eax
Further down comes the classic Delphi return-value idiom:
004BFEE8 . 8BC3 mov eax, ebx
004BFEEA . 5E pop esi
004BFEEB . 5B pop ebx
004BFEEC . 8BE5 mov esp, ebp
004BFEEE . 5D pop ebp
004BFEEF . C3 retn
So this is where the algorithm lives. Into the next key call:
004BFF34 /$ 55 push ebp
004BFF35 |. 8BEC mov ebp, esp
004BFF37 |. 51 push ecx
004BFF38 |. B9 04000000 mov ecx, 4
004BFF3D |> 6A 00 /push 0
004BFF3F |. 6A 00 |push 0
004BFF41 |. 49 |dec ecx
004BFF42 |.^ 75 F9 \jnz short 004BFF3D
004BFF44 |. 51 push ecx
004BFF45 |. 874D FC xchg [ebp-4], ecx
004BFF48 |. 53 push ebx
004BFF49 |. 56 push esi
004BFF4A |. 57 push edi
004BFF4B |. 8BF9 mov edi, ecx
004BFF4D |. 8955 FC mov [ebp-4], edx
004BFF50 |. 8B45 FC mov eax, [ebp-4] ; // username into eax
004BFF53 |. E8 2C48F4FF call 00404784
004BFF58 |. 33C0 xor eax, eax
004BFF5A |. 55 push ebp
004BFF5B |. 68 F5004C00 push 004C00F5
004BFF60 |. 64:FF30 push dword ptr fs:[eax]
004BFF63 |. 64:8920 mov fs:[eax], esp
004BFF66 |. 8BC7 mov eax, edi
004BFF68 |. E8 6743F4FF call 004042D4
004BFF6D |. 8B45 FC mov eax, [ebp-4]
004BFF70 |. E8 1F46F4FF call 00404594
004BFF75 |. 8BF0 mov esi, eax ; // length of the username
004BFF77 |. 85F6 test esi, esi
004BFF79 |. 7E 26 jle short 004BFFA1 ; // skip the loop if the length is <= 0
004BFF7B |. BB 01000000 mov ebx, 1 ; // ebx = 1 (1-based index)
004BFF80 |> 8D4D EC /lea ecx, [ebp-14]
004BFF83 |. 8B45 FC |mov eax, [ebp-4] ; // username into eax
004BFF86 |. 0FB64418 FF |movzx eax, byte ptr [eax+ebx-1] ; // take each character of the username in turn
004BFF8B |. 33D2 |xor edx, edx ; // Digits = 0
004BFF8D |. E8 6E8BF4FF |call 00408B00 ; // IntToHex(char, 0): upper-case hex, no zero padding
004BFF92 |. 8B55 EC |mov edx, [ebp-14] ; // hex string of this character
004BFF95 |. 8D45 F8 |lea eax, [ebp-8]
004BFF98 |. E8 FF45F4FF |call 0040459C ; // LStrCat: append to [ebp-8]
004BFF9D |. 43 |inc ebx
004BFF9E |. 4E |dec esi
004BFF9F |.^ 75 DF \jnz short 004BFF80
004BFFA1 |> 8B45 F8 mov eax, [ebp-8] ; // the loop above hex-encodes the username byte by byte; call the result A
004BFFA4 |. E8 EB45F4FF call 00404594
004BFFA9 |. 8BF0 mov esi, eax ; // length of A, twice the username length for printable ASCII
004BFFAB |. 85F6 test esi, esi
004BFFAD |. 7E 2C jle short 004BFFDB
004BFFAF |. BB 01000000 mov ebx, 1
004BFFB4 |> 8B45 F8 /mov eax, [ebp-8] ; // A into eax
004BFFB7 |. E8 D845F4FF |call 00404594 ; // length of A; call it B
004BFFBC |. 2BC3 |sub eax, ebx ; // B - ebx
004BFFBE |. 8B55 F8 |mov edx, [ebp-8] ; // A into edx
004BFFC1 |. 8A1402 |mov dl, [edx+eax] ; // character A[B - ebx] (0-based), i.e. the last character first
004BFFC4 |. 8D45 E8 |lea eax, [ebp-18]
004BFFC7 |. E8 F044F4FF |call 004044BC ; // LStrFromChar
004BFFCC |. 8B55 E8 |mov edx, [ebp-18]
004BFFCF |. 8D45 F4 |lea eax, [ebp-C]
004BFFD2 |. E8 C545F4FF |call 0040459C ; // LStrCat: append to [ebp-C]
004BFFD7 |. 43 |inc ebx ; // ebx + 1
004BFFD8 |. 4E |dec esi ; // esi - 1
004BFFD9 |.^ 75 D9 \jnz short 004BFFB4
004BFFDB |> 8D45 F8 lea eax, [ebp-8] ; // the loop reads A from its last character backwards, so [ebp-C] is A reversed; call it C
004BFFDE |. 50 push eax
004BFFDF |. B9 04000000 mov ecx, 4 ; // count = 4
004BFFE4 |. BA 01000000 mov edx, 1 ; // start index = 1
004BFFE9 |. 8B45 F4 mov eax, [ebp-C]
004BFFEC |. E8 0348F4FF call 004047F4 ; // Copy(C, 1, 4) -> [ebp-8], overwriting A
004BFFF1 |. 8D45 F4 lea eax, [ebp-C]
004BFFF4 |. 50 push eax
004BFFF5 |. B9 04000000 mov ecx, 4
004BFFFA |. BA 05000000 mov edx, 5
004BFFFF |. 8B45 F4 mov eax, [ebp-C]
004C0002 |. E8 ED47F4FF call 004047F4 ; // Copy(C, 5, 4) -> [ebp-C], overwriting C
004C0007 |. 8B45 F8 mov eax, [ebp-8] ; // first four characters of C
004C000A |. E8 8545F4FF call 00404594
004C000F |. 83F8 04 cmp eax, 4 ; // if shorter than four characters, fall through and pad
004C0012 |. 7D 2F jge short 004C0043
004C0014 |. 8B45 F8 mov eax, [ebp-8]
004C0017 |. E8 7845F4FF call 00404594
004C001C |. 8BD8 mov ebx, eax
004C001E |. 83FB 03 cmp ebx, 3
004C0021 |. 7F 20 jg short 004C0043
004C0023 |> 8D4D E4 /lea ecx, [ebp-1C]
004C0026 |. 8BC3 |mov eax, ebx ; // current length into eax
004C0028 |. C1E0 02 |shl eax, 2 ; // eax * 4
004C002B |. 33D2 |xor edx, edx
004C002D |. E8 CE8AF4FF |call 00408B00 ; // IntToHex(length * 4, 0)
004C0032 |. 8B55 E4 |mov edx, [ebp-1C]
004C0035 |. 8D45 F8 |lea eax, [ebp-8]
004C0038 |. E8 5F45F4FF |call 0040459C ; // append it
004C003D |. 43 |inc ebx
004C003E |. 83FB 04 |cmp ebx, 4
004C0041 |.^ 75 E0 \jnz short 004C0023 ; // each missing position gets (position * 4) in hex until the first group has four characters
004C0043 |> 8B45 F4 mov eax, [ebp-C] ; //再取四位
004C0046 |. E8 4945F4FF call 00404594
004C004B |. 83F8 04 cmp eax, 4
004C004E |. 7D 2F jge short 004C007F
004C0050 |. 8B45 F4 mov eax, [ebp-C]
004C0053 |. E8 3C45F4FF call 00404594
004C0058 |. 8BD8 mov ebx, eax ; // if shorter than four characters, pad the remaining positions
004C005A |. 83FB 03 cmp ebx, 3
004C005D |. 7F 20 jg short 004C007F
004C005F |> 8D4D E0 /lea ecx, [ebp-20]
004C0062 |. 8BC3 |mov eax, ebx ; // current length into eax
004C0064 |. C1E0 02 |shl eax, 2 ; // eax * 4
004C0067 |. 33D2 |xor edx, edx
004C0069 |. E8 928AF4FF |call 00408B00
004C006E |. 8B55 E0 |mov edx, [ebp-20]
004C0071 |. 8D45 F4 |lea eax, [ebp-C]
004C0074 |. E8 2345F4FF |call 0040459C
004C0079 |. 43 |inc ebx
004C007A |. 83FB 04 |cmp ebx, 4
004C007D |.^ 75 E0 \jnz short 004C005F ; // same padding, (position * 4) in hex, forming the second four-character group
004C007F |> 8D45 F0 lea eax, [ebp-10]
004C0082 |. BA 0C014C00 mov edx, 004C010C ; "rmconv268d58k"
004C0087 |. E8 E042F4FF call 0040436C ; // the post reads this as upper-casing "rmc"; destination in eax and constant in edx is the LStrAsg (assignment) convention, so confirm the case of the bytes at 004C010C in memory
004C008C |. 8D45 DC lea eax, [ebp-24] ; // per the post the constant is RMConv268d58k from here on
004C008F |. 50 push eax
004C0090 |. B9 04000000 mov ecx, 4
004C0095 |. BA 01000000 mov edx, 1
004C009A |. 8B45 F0 mov eax, [ebp-10]
004C009D |. E8 5247F4FF call 004047F4
004C00A2 |. FF75 DC push dword ptr [ebp-24] ; // Copy(const, 1, 4): the first four characters, "RMCo" per the post
004C00A5 |. 68 24014C00 push 004C0124 ; "-"
004C00AA |. FF75 F8 push dword ptr [ebp-8] ; // "-" joins it to the first four characters of C
004C00AD |. 8D45 D8 lea eax, [ebp-28]
004C00B0 |. 50 push eax
004C00B1 |. B9 05000000 mov ecx, 5 ; // count = 5
004C00B6 |. BA 05000000 mov edx, 5 ; // start index = 5
004C00BB |. 8B45 F0 mov eax, [ebp-10]
004C00BE |. E8 3147F4FF call 004047F4 ; // Copy(const, 5, 5)
004C00C3 |. FF75 D8 push dword ptr [ebp-28] ; // gives "nv268"
004C00C6 |. 68 24014C00 push 004C0124 ; "-"
004C00CB |. FF75 F4 push dword ptr [ebp-C] ; // "-" joins it to the second four-character group of C
004C00CE |. 8BC7 mov eax, edi
004C00D0 |. BA 06000000 mov edx, 6 ; // six pieces
004C00D5 |. E8 7A45F4FF call 00404654 ; // LStrCatN: the complete registration code, returned through edi
004C00DA |. 33C0 xor eax, eax
004C00DC |. 5A pop edx
004C00DD |. 59 pop ecx
004C00DE |. 59 pop ecx
004C00DF |. 64:8910 mov fs:[eax], edx
004C00E2 |. 68 FC004C00 push 004C00FC
004C00E7 |> 8D45 D8 lea eax, [ebp-28]
004C00EA |. BA 0A000000 mov edx, 0A
004C00EF |. E8 0442F4FF call 004042F8
004C00F4 \. C3 retn
004C00F5 .^ E9 3A3BF4FF jmp 00403C34
004C00FA .^ EB EB jmp short 004C00E7
004C00FC . 5F pop edi
004C00FD . 5E pop esi
004C00FE . 5B pop ebx
004C00FF . 8BE5 mov esp, ebp
004C0101 . 5D pop ebp
004C0102 . C3 retn
--------------------------------------------------------------------------------
【Algorithm summary】
1. Hex-encode the username byte by byte (IntToHex with 0 digits, so every printable character gives two upper-case hex digits) and concatenate; call the result A. Reverse A (the last character moves to the front, so the first character ends up last); call the result C.
2. The fixed string is rmconv268d58k, which the post takes as becoming RMConv268d58k. Caveat: the call that loads it at 004C0087 has the destination in eax and the constant in edx, which is the string-assignment (LStrAsg) convention rather than a case conversion, and the listing shows the constant in lower case; confirm the bytes at 004C010C in memory before relying on the "RMCo"/"nv268" spelling below.
3. Assemble the code: RMCo-(first four characters of C)nv268-(next four characters of C)
4. If either group is shorter than four characters (the first group only for a one-character username, the second for any username shorter than four characters), each missing 0-based position i is filled with hex(i*4), i.e. "0", "4", "8", "C". A one-character username gives a two-character A, so the first group becomes **8C and the second 048C.
5. The comparison at 004BFE35 is a plain LStrCmp, so the entered code must match exactly, case included. On success the username and code are written as the values name and pass under HKEY_LOCAL_MACHINE\software\zy\conver (the 80000002 at 004BFB5E is HKLM) and checked again at the next start; on Vista and later that write needs elevation or gets redirected by UAC registry virtualization.
Demo:
Username of four or more characters:
username: evilangel
hex (A): 6576696C616E67656C
C: C65676E616C6966756
registration code: RMCo-C656nv268-76E6
Username shorter than four characters:
username: e
hex (A): 65
C: 56
registration code: RMCo-568Cnv268-048C
Note: nothing sophisticated here; I am not very familiar with algorithms, so please point out any mistakes.
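A keygen that carries out the steps above, added here as an example; it is not code from the original post or from the program. It assumes the prefix case the post uses (RMCo / nv268), that the username is a Delphi AnsiString in the Chinese (GBK) code page (irrelevant for ASCII names), and it does not model the unidentified string helper at 00408784. The function names are the example's own.

```python
# Keygen for 超级RM转换大师 V1.10, reconstructed from the listing above (added example).

# Constant at 004C010C as the post uses it. The listing shows "rmconv268d58k";
# the post's worked keys use "RMCo"/"nv268", so that case is assumed here.
# Change it if the bytes in memory differ.
FIXED = "RMConv268d58k"

# Assumption: AnsiString build on a Chinese Windows, so a username is a GBK
# byte string. For ASCII names the code page does not matter.
CODEPAGE = "gbk"


def int_to_hex(value: int) -> str:
    """Delphi IntToHex(value, 0): upper-case hex, no zero padding (edx = 0 at 004BFF8B)."""
    return format(value, "X")


def pad_group(group: str) -> str:
    """Loops at 004C0023 and 004C005F: for i from len(group) to 3 append IntToHex(i * 4, 0)."""
    for i in range(len(group), 4):
        group += int_to_hex(i * 4)
    return group


def keygen(username: str) -> str:
    """Registration code for a username, following 004BFF34."""
    if not username:
        # The form rejects an empty username before the algorithm runs (004C0156).
        raise ValueError("username must not be empty")
    # The helper at 00408784 applied to both inputs is not modelled; if it is
    # Trim, strip the username first.
    a = "".join(int_to_hex(b) for b in username.encode(CODEPAGE))  # loop at 004BFF80: hex of every byte
    c = a[::-1]                                                    # loop at 004BFFB4: A reversed
    first = pad_group(c[0:4])    # Copy(C, 1, 4) at 004BFFEC, padded if short
    second = pad_group(c[4:8])   # Copy(C, 5, 4) at 004C0002, padded if short
    # LStrCatN with six pieces at 004C00D5
    return FIXED[0:4] + "-" + first + FIXED[4:9] + "-" + second


def check(username: str, code: str) -> bool:
    """Mirror of the LStrCmp at 004BFE35: an exact, case-sensitive match."""
    return bool(username) and code == keygen(username)


if __name__ == "__main__":
    for name in ("evilangel", "e", "ab", "abc"):
        print(f"{name}: {keygen(name)}")
```

Running it reproduces both keys from the demo (RMCo-C656nv268-76E6 for evilangel, RMCo-568Cnv268-048C for e) and shows the padding for two- and three-character names, where only the second group is short.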
--------------------------------------------------------------------------------
2009-03-25 22:36:13